Learn about persistence in cybersecurity, including common malware persistence mechanisms and advanced persistent threats (APTs).
This article is from The Defender's Handbook: a knowledge base for cybersecurity enthusiasts to level up their cyber knowledge, one article at a time.
Persistence has become a go-to attack tactic for today’s threat actors.
As hackers have evolved their tradecraft, they’ve become stealthier—ensuring that they can lurk in their desired environment for as long as they need to accomplish their mission. While other attacks, such as ransomware, are loud and overt, persistence enables attackers to stay hidden - unless defenders know what to look for.
Persistence lets malware keep running across reboots and logons, all while the attacker remains undetected.
Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. Bad actors place an implant or "stub" that both evades automated antivirus solutions and kickstarts further malware. The stub is usually hidden where legitimate software also lives, such as startup folders, registry run keys, scheduled tasks and services, which makes it harder to spot.
After the system reboots or a user logs off and back on, the stub or the malware it launches is triggered again. In other words, persistence lets hackers who gain access to your environment keep that access, often without you knowing they ever had it.
Persistence keeps malware running, and attackers can use the same foothold to deploy additional malware. They use persistent malware to maintain access to a network while they search for the data they want to steal, and sometimes for other illicit activity, such as click fraud or cryptojacking.
Malware Detection
Persistence can also work in defenders' favor: a persistence mechanism is an artifact on disk or in configuration, and artifacts can be found. When defenders find one, they can remove it, cutting off the threat actor's access and stopping the attack in its tracks. It is important to note, though, that detecting and removing a malware binary alone is only a temporary fix for the bigger problem, which is the persistence itself. If defenders don't find the persistence mechanism, threat actors can simply redeploy the malware. Malware detection treats one symptom without addressing the root cause. That is why it is critical to find, and eliminate, persistence.
Advanced persistent threats, or APTs, are one type of persistence-enabled attack, but not every persistence-enabled attack is an APT. The term APT is reserved for the advanced end of the spectrum, such as the long-running operations of nation-state or state-sponsored groups. Persistence is the more general term and covers both those advanced campaigns and the attacks carried out by lower-tier threat actors and groups.
Perhaps the most well-known example of an APT is Stuxnet. Discovered in 2010, Stuxnet is widely attributed to the United States' National Security Agency (NSA) and Israel's military signals-intelligence unit (Unit 8200), and it was built to disrupt Iran's nuclear program.
The malware spread across Windows systems and searched for Siemens Step 7, the engineering software used to program Siemens programmable logic controllers (PLCs) that control electro-mechanical equipment. Once it found Step 7, it modified the code loaded onto the PLCs so that the controllers drove the attached centrifuges outside their safe operating range, damaging them. At the same time, it fed normal-looking readings back to the monitoring software, so the sabotage went unnoticed, even by the people watching the equipment, until the centrifuges began to fail.
Stuxnet is reported to have destroyed roughly 1,000 centrifuges at Iran's Natanz nuclear facility.
Persistence typically sits in the middle of the cyber kill chain. After hackers gain access to an environment, their goal is to keep that access without being detected. Below is a simplified, five-stage view of the kill chain.
Stage 1. Goal: Gather as much information as they can.
This step is critical in solidifying an attack's "mission." Any information gathered, whether it's specific vulnerabilities to exploit or users to phish, can be leveraged by the adversary in later phases of their workflow.
Stage 2. Goal: Find a way in.
During this phase, hackers will do whatever they can to gain unauthorized access to the target's systems. The method chosen often says more about the attacker's skills than about the target's weaknesses, but common techniques include social engineering, compromising a public-facing website and exploiting vulnerabilities.
Stage 3. Goal: Stealthily maintain access without getting caught.
This step is about establishing and concealing presence. Persistence techniques include any access, action or configuration change that lets an attacker keep a foothold on a system, such as replacing or hijacking legitimate code or adding startup code. Not only does this buy more dwell time without raising red flags, it also keeps a hidden way back in long after the initial session has ended.
Stage 4. Goal: Get the lay of the land.
Hackers use this phase to learn about the target's systems and internal network. Adversaries typically explore what they can control within the environment and what surrounds their entry point to discover how it could serve their mission.
Stage 5. Goal: Make their malicious move.
At this point, the plan is set in motion. This stage can take many forms, depending on the initial mission, the hacker's skill level and what they've discovered along the way. Outcomes range from data exfiltration, ransomware deployment and cryptomining to website defacement or selling the access or stolen credentials. Whatever the motive, it's malicious.
The MITRE ATT&CK framework, which compiles information about adversary tactics and techniques based on what is observed in the real world, lists 19 persistence techniques that attackers use to lurk in environments undetected. Out of those, we tend to see hackers establish persistence in one of three ways:
1. Registry run keys and the Startup folder. This common malware persistence mechanism abuses a legitimate operating system event, such as a reboot or a user logon. The hacker adds an entry to the Run keys in the Windows Registry (for example, under HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or drops a shortcut into the Startup folder; anything referenced there is executed when the user logs in.
2. Boot or logon initialization scripts. For this technique, hackers use stolen local credentials or an administrator account to register scripts that run automatically at boot or logon. Those scripts can in turn launch other programs or send information to an internal logging server. You can reduce your exposure by setting proper permissions and restricting write access to logon scripts to specific administrators, although this is not a foolproof preventive measure.
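The following Python script is an added example for this article, not code from the original page or from any vendor product. It triages the two registry-based autostart locations just described (the Run/RunOnce keys and the UserInitMprLogonScript logon-script value) from a `reg export` text dump, decodes values stored as REG_EXPAND_SZ that a plain text search would miss, and flags everything that does not match a baseline of known software. The registry export, the baseline entries, the user name and every path in it are constructed for the example; the Startup folder is a file-system location and is not covered here.

```python
"""Triage autostart entries from a Windows `reg export` text dump.

Added example for this article (not code from the page). It parses the
"Windows Registry Editor Version 5.00" format, selects the Run/RunOnce keys
and the UserInitMprLogonScript value, decodes REG_EXPAND_SZ (hex(2)) values,
and flags entries that do not match a baseline. All data below is constructed.
"""
import re

# Constructed sample. `reg export` writes UTF-16LE with a BOM; decode the file
# to str (encoding='utf-16') before handing it to triage().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\svc\\update.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Helper"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,72,00,\
  75,00,6e,00,2e,00,76,00,62,00,73,00,00,00

[HKEY_CURRENT_USER\Environment]
"UserInitMprLogonScript"="C:\\Users\\Public\\logon.cmd"
'''

# Known-good entries: value name -> expected command. Anything else under an
# autostart key gets reviewed, as does a known name pointing somewhere new.
BASELINE = {
    'OneDrive': re.compile(r'^"C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive\.exe" /background$', re.I),
    'SecurityHealth': re.compile(r'^%windir%\\system32\\SecurityHealthSystray\.exe$', re.I),
}
AUTOSTART_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)
LOGON_SCRIPT_VALUE = 'userinitmprlogonscript'
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA)%', re.I)
SCRIPT_HOST = re.compile(r'(^|\\|")(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)(\.exe)?\b', re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into text."""
    if raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])                      # REG_SZ
    m = re.match(r'^hex\(2\):(.*)$', raw, re.I)        # REG_EXPAND_SZ as UTF-16LE bytes
    if m:
        return bytes.fromhex(m.group(1).replace(',', '')).decode('utf-16-le').rstrip('\x00')
    return raw                                          # dword:, hex:, ... left as written


def parse_reg_export(text):
    """Yield (key, value_name, decoded_value) for every value in the export."""
    lines = text.splitlines()
    key, i = None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        raw = m.group(2)
        while raw.endswith('\\') and i < len(lines):   # hex values wrap with a trailing backslash
            raw = raw[:-1] + lines[i].strip()
            i += 1
        yield key, unescape(m.group(1)), decode_value(raw)


def triage(reg_text):
    """Return the autostart entries that deserve a human look, with reasons."""
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        is_logon_script = name.lower() == LOGON_SCRIPT_VALUE
        if not (AUTOSTART_KEY.search(key) or is_logon_script):
            continue
        known = BASELINE.get(name)
        if known and known.match(value):
            continue
        reasons = []
        if is_logon_script:
            reasons.append('logon script configured via UserInitMprLogonScript')
        reasons.append('baselined name points at an unexpected command' if known
                       else 'value name not in baseline')
        if USER_WRITABLE.search(value):
            reasons.append('launches from a user-writable location')
        if SCRIPT_HOST.search(value):
            reasons.append('runs through a script host or command interpreter')
        findings.append({'key': key, 'name': name, 'command': value, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['command']}")
        for r in f['reasons']:
            print('   ', r)
```

The baseline is matched on both the value name and the full command, so an attacker who reuses a familiar name such as "OneDrive" but points it at a different binary still surfaces. The hex(2) decoding matters because `reg export` writes REG_EXPAND_SZ values as UTF-16LE byte lists, which defeats a naive grep for `.vbs` or `%TEMP%`.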
3. Scheduled tasks. Here an attacker abuses the operating system's task scheduling feature to trigger the initial or recurring execution of malicious code. A common method is abusing Windows Task Scheduler, which can run programs at system startup, at logon or on a schedule. TrickBot, a modular banking trojan, has been observed creating scheduled tasks on compromised systems to persist.
Because every major operating system ships a utility for scheduling programs or scripts (Windows Task Scheduler, cron on Linux and launchd on macOS, for example), this persistence mechanism is a risk for nearly everyone. The key to detecting it is to regularly review the task scheduler and investigate any task that does not correlate with known software, patch cycles and so on.
Let's say, for example, an attacker compromises a system and creates a scheduled task that executes the following command every time the machine starts up (the directory portion of the path is abbreviated here):
cmd /c "start /b <path>\4875674.bat"
The first half, cmd /c "start /b ...", launches the program in the background without opening a new window. The second half is the location of the batch file to be executed. At a glance it's easy to focus on that second half; there is clearly a very unusual-looking file being called. Let's open the file to see what's inside:
net user eviluser "myEvilPassword" /ADD
net localgroup administrators eviluser /ADD
This batch file adds a new backdoor account and puts it in the local Administrators group.
The challenge an automated security tool faces here is validating malicious intent, and that works to the attacker's benefit. Many preventive tools require a high degree of confidence that malicious activity is occurring before stepping in. Creating a user account from the command line can be a perfectly legitimate administrative task, so most security products allow the action to continue rather than risk disrupting the end user. All the while, the attacker hides in the product's blind spots. This is why persistence is an attacker's greatest ally: it provides secret backdoor access that is hidden inside the existing parts of the operating system.
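As an added example, not code from the original article or from any vendor product, the Python below turns the scheduled-task review described earlier and the worked example above into a repeatable check. It parses Task Scheduler XML definitions (the format written by `schtasks /query /tn <task> /xml` and stored under C:\Windows\System32\Tasks), pulls out the Exec action, follows a referenced batch file and looks for the pattern just shown: a background launcher whose script creates a local account and then adds it to a privileged group. The two task definitions, the Contoso updater, the batch file contents and every path are constructed for the example.

```python
"""Triage scheduled-task XML exports and the scripts they launch.

Added example for this article (not code from the page or any vendor tool).
Task Scheduler stores each task as XML under C:\\Windows\\System32\\Tasks and
`schtasks /query /tn <name> /xml` prints the same document. This reads that
XML, extracts the Exec action, follows a referenced batch file and looks for
a launcher whose script creates a local account and adds it to a privileged
group. All tasks, files and paths below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Constructed: a vendor-style updater and a boot-time launcher. Real exports
# start with an <?xml ... encoding="UTF-16"?> declaration; decode the bytes to
# str (encoding='utf-16') before calling triage_task().
BENIGN_TASK = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><GroupId>S-1-5-32-545</GroupId>
    <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Contoso\Updater\updater.exe"</Command><Arguments>/check</Arguments>
  </Exec></Actions>
</Task>'''

SUSPECT_TASK = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>NT AUTHORITY\SYSTEM</Author></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>cmd</Command><Arguments>/c "start /b C:\ProgramData\Statistics\8813102.bat"</Arguments>
  </Exec></Actions>
</Task>'''

# Constructed stand-in for the file system: lower-cased path -> script contents.
FILES = {
    r'c:\programdata\statistics\8813102.bat':
        'net user eviluser "myEvilPassword" /ADD\r\nnet localgroup administrators eviluser /ADD\r\n',
}

BACKGROUND_WRAPPER = re.compile(r'\bcmd(\.exe)?\b.*\s/c\b.*\bstart\b.*\s/b\b', re.I)
SCRIPT_REF = re.compile(r'((?:[A-Za-z]:|%[^%\s]+%)\\[^"\s]+\.(?:bat|cmd|ps1|vbs|js))', re.I)
NET_USER_ADD = re.compile(r'\bnet1?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b', re.I)
NET_GROUP_ADD = re.compile(r'\bnet1?\s+localgroup\s+("[^"]*"|\S+)\s+(\S+)\s+/add\b', re.I)
PRIVILEGED_GROUPS = {'administrators', 'remote desktop users', 'backup operators'}


def analyze_script(text):
    """Flag an account that is created and then added to a privileged group.

    Either command alone is routine administration; the pairing inside a
    script launched by an autostart mechanism is what marks it as a backdoor.
    """
    created = {m.group(1).lower() for m in NET_USER_ADD.finditer(text)}
    findings = []
    for m in NET_GROUP_ADD.finditer(text):
        group, member = m.group(1).strip('"').lower(), m.group(2).lower()
        if group in PRIVILEGED_GROUPS and member in created:
            findings.append(f'creates local account {member!r} and adds it to {group!r}')
    return findings


def exec_actions(root):
    """Return each <Exec> action as a single 'command arguments' string."""
    actions = []
    for ex in root.findall('t:Actions/t:Exec', NS):
        cmd = ex.findtext('t:Command', default='', namespaces=NS).strip()
        args = ex.findtext('t:Arguments', default='', namespaces=NS).strip()
        actions.append(f'{cmd} {args}'.strip())
    return actions


def triage_task(xml_text, files):
    """Return the reasons a task deserves a human look (empty list if none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    triggers = root.find('t:Triggers', NS)
    names = [c.tag.rsplit('}', 1)[-1] for c in triggers] if triggers is not None else []
    if any(n in ('BootTrigger', 'LogonTrigger') for n in names):
        reasons.append('fires at boot or logon')
    user = root.findtext('t:Principals/t:Principal/t:UserId', default='', namespaces=NS)
    level = root.findtext('t:Principals/t:Principal/t:RunLevel', default='', namespaces=NS)
    if user == 'S-1-5-18' or level == 'HighestAvailable':
        reasons.append('runs as SYSTEM or with highest available privileges')
    for action in exec_actions(root):
        if BACKGROUND_WRAPPER.search(action):
            reasons.append('hides its payload behind cmd /c start /b')
        for path in SCRIPT_REF.findall(action):
            content = files.get(path.lower())
            if content is None:
                reasons.append(f'references {path}, which was not collected')
                continue
            reasons.extend(analyze_script(content))
    return reasons


if __name__ == '__main__':
    for label, xml in (('Contoso updater', BENIGN_TASK), ('boot launcher', SUSPECT_TASK)):
        print(label, '->', triage_task(xml, FILES) or ['nothing notable'])
```

The point of following the referenced file is that the task definition alone is ambiguous: a boot trigger, a SYSTEM principal and even a `cmd /c` wrapper all occur in legitimate software. Reading the batch file and correlating the two `net` commands against each other is the contextual step the article attributes to a human analyst, and it is where this check gets its confidence.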
Many companies that produce security tools claim they can find and eliminate persistence through artificial intelligence (AI) and automation. The problem is that persistence is designed to be stealthy, and it often relies on obfuscation and evasion techniques that automated tools won't catch.
Humans, on the other hand, have the contextual awareness to recognize when something doesn't look right. This is why threat hunting combines technology with human analysis to identify attacks that automated security tools alone miss. Human threat hunters backed by good tooling are the combination that finds and eliminates persistence.